# SmRemote Service Charter

## Mission
- Provide a remote SM2 signing service that integrates with the cryptography plugin stack.

## Responsibilities
- Host the SM2 signing API with strict input validation and auth.
- Bridge requests to the configured remote HSM or key service.
- Ensure deterministic signing outputs and audit logging.
- Maintain offline-safe operation when remote endpoints are allowed.

## Required Reading
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/cryptography/architecture.md

## Working Agreement
- Never log key material, raw digests, or secrets.
- Use TimeProvider and IGuidGenerator for timestamps and request ids.
- Use InvariantCulture for parsing and formatting.
- Propagate CancellationToken to all IO calls.
- Network access only to configured HSM endpoints; no ambient network calls.

## Testing Strategy
- Unit tests for request validation and error mapping.
- Integration tests with mocked HSM endpoints and deterministic fixtures.
- Security tests for auth, scope enforcement, and input bounds.

## Service Endpoints
- Development: https://localhost:10310, http://localhost:10311
- Local alias: https://smremote.stella-ops.local, http://smremote.stella-ops.local
- Env var: STELLAOPS_SMREMOTE_URL